Commit Graph

4595 Commits

Author SHA1 Message Date
Dirk Wetter
e87b745c93
Merge pull request #2316 from dcooper16/cipherlists_doc
Update documentation for cipherlists tests
2023-02-05 19:25:02 +01:00
Dirk Wetter
05b4cdcc0d
Merge pull request #2317 from dcooper16/fix_html
Fix HTML output in Bash 5.2 and newer
2023-02-04 09:22:03 +01:00
David Cooper
3d82f7cb21 Fix HTML output in Bash 5.2 and newer
As noted in #2304, the way that the '&' character is treated in the string part of a pattern substitution changed in Bash 5.2. As a result, the change that was made in #1481 to accommodate older versions of Bash (e.g., on MacOS) now causes testssl.sh to produce incorrect HTML output when run on Bash 5.2.

This commit encodes the '&' characters in the substitution strings in a way that produces correct results on multiple versions of Bash (3.2 on MacOS, 5.2 on Ubuntu 23.10, 5.0 on Ubuntu 20.04).
2023-02-03 14:18:02 -08:00
David Cooper
b661f7b8d3 Update documentation for cipherlists tests
The sets of cipher lists checked by `run_cipherslists()` changed in 3.1dev, but the documentation was not updated.
2023-02-03 11:24:04 -08:00
Dirk Wetter
70237b2328
Merge pull request #2313 from polarathene/chore/dockerfile-remove-mkdir
chore: Remove redundant `mkdir`
2023-02-03 19:54:51 +01:00
Dirk Wetter
6c2663aeb6
Merge pull request #2311 from SSLbrain/3.1dev
Feature Trustcor certificates being removed/disabled from root stores #2293
2023-02-02 13:55:07 +01:00
Brennan Kinney
76b8f0c981 chore: Remove redundant mkdir
- If local folder ownership is for example `644` it will fail to handle the `COPY` regardless (while `744` would work).
- Creating the directory with higher permissions in the container does not appear to help.
2023-02-02 14:26:16 +13:00
Sole
3670c1e4ad Removed non-relevant CA's that no longer have active certificates. 2023-02-02 01:13:00 +00:00
Brennan Kinney
dc7d13b853 chore(Dockerfile): Simplify testssl user creation
Create `testssl` user (_and group_) with no password (`-D`) and default their shell to bash (`-s`):
- A group will implicitly be created with the same value as the user. `addgroup testssl` and `-G testssl` are not needed.
- Gecos data (`-g "testssl user"`) doesn't appear relevant to the project to be required? The default gecos value (`Linux User,,,`) should be fine.
2023-02-02 14:07:51 +13:00
Sole
9fc8c33704 Change exception for removed root certificates into easy edit multi-value regular expression for Organization name and making it clear that CA's are actively removed from 1+ root stores. 2023-02-02 00:42:15 +00:00
Brennan Kinney
74892e45c5 chore: Use a single COPY by better leveraging .dockerignore patterns 2023-02-02 12:49:30 +13:00
Dirk Wetter
e02e8be19f
Merge pull request #2306 from drwetter/upgrade_alpine_perf-fix
Upgrade Alpine version for both Dockerfiles
2023-02-01 19:45:57 +01:00
Dirk Wetter
beb94d9efc Upgrade Alpine version for both Dockerfiles
... to improve/mitigate performance problems, see #2299.
(musl libc vs. glibc)
2023-02-01 19:40:40 +01:00
Dirk Wetter
5a1a114adc
Merge pull request #2300 from drwetter/dependabot/github_actions/docker/build-push-action-4.0.0
Bump docker/build-push-action from 3.3.0 to 4.0.0
2023-01-31 09:37:28 +01:00
Dirk Wetter
0b5c414970
Merge pull request #2303 from drwetter/nntp_ci_remove
Remove NNTP from CI tests
2023-01-31 09:37:06 +01:00
Dirk Wetter
2e0898c9ef Remove NNTP from CI tests
Maybe for the future we should check whether host is available and
if so then run the test
2023-01-31 09:34:18 +01:00
dependabot[bot]
8ae8a6fc44
Bump docker/build-push-action from 3.3.0 to 4.0.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-31 00:03:02 +00:00
Dirk Wetter
e9db257474 Start listing changes and contributions
... a few items by David and myself.

It's a WIP and there are missing points. Feel free to amend the
CHANGELOG.md and CREDITS.md.
2023-01-17 15:19:34 +01:00
Dirk Wetter
8099dc0106
Merge pull request #2297 from drwetter/ldap_starttls_improvements
Add logic for STARTTLS enabled AD servers
2023-01-17 14:27:01 +01:00
Dirk Wetter
fdd72d2785 Cleanup code, clarfy comments for AD/LDAP + STARTTLS 2023-01-17 14:23:53 +01:00
Dirk Wetter
fc2a020294 Add logic for STARTTLS enabled AD servers
There are two different scenarios. x0C is the buffsize reply from openldap-like servers
whereas AD servers probably have x84 and return also the OID. The following is kind of
hackish as ldap_ExtendedResponse_parse() in apps/s_client.c of openssl is kind of hard
to understand. It was deducted from a number of hosts.
Bottom line: We'll look at the 9th byte or at the 17th when retrieving the result code

AD:
30 84 00 00 00 7d 02 01 01 78 84 00 00 00 74 0a 01 34 04 00 04 55 30 30 30 30 30 30 30 30 3a 20 [ failed AD .. LdapErr + OID..]
30 84 00 00 00 28 02 01 01 78 84 00 00 00 1F 0A 01 00 04 00 04 00 8A 16 [.. OID ..]
   ^^ bufflen                                      ^^ resultcode

30 0C 02 01 01 78 07 0A 01 00 04 00 04 00
   ^^ bufflen              ^^ result code
2023-01-17 11:16:05 +01:00
Dirk Wetter
ce3bd4764f
Merge pull request #2296 from drwetter/dependabot/github_actions/docker/build-push-action-3.3.0
Bump docker/build-push-action from 3.2.0 to 3.3.0
2023-01-16 10:20:13 +01:00
dependabot[bot]
1b2f58d739
Bump docker/build-push-action from 3.2.0 to 3.3.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.2.0...v3.3.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 01:05:58 +00:00
Kali
0af73c2d19 fixed DNS via Proxy 2023-01-05 14:11:44 +01:00
Dirk Wetter
7670275e59
Merge pull request #2292 from drwetter/ldap_starttls_improvements
make starttls_ldap_dialog() more readable...
2022-12-27 22:06:12 +01:00
Dirk Wetter
c67cefaf8e add info about error handling 2022-12-26 19:15:49 +01:00
Dirk Wetter
336d3c947a better use safe_echo() 2022-12-26 16:14:26 +01:00
Dirk Wetter
b633efae69 make starttls_ldap_dialog() more readable...
... add references + better debugging output
2022-12-26 16:10:31 +01:00
Dirk Wetter
198bb09d51
Merge pull request #2282 from drwetter/drwetter-patch-2
Reflect past update for docker hub's Dockerfile
2022-11-28 17:09:04 +01:00
Dirk Wetter
0c807bea5b
Reflect past update for docker hub's Dockerfile
... using alpine 3.16
2022-11-28 14:10:13 +01:00
Dirk Wetter
9304bb80b8
Merge pull request #2281 from dcooper16/fix_whitespace
Fix whitespace issues
2022-11-25 18:23:58 +01:00
David Cooper
e2942966d2 Fix whitespace issues
This commit fixes incorrect indentations introduced in #2276 and #2278, and also removes the extra whitespace that would have been removed by #2279.
2022-11-25 07:44:48 -08:00
Dirk Wetter
6ba21a937a
Merge pull request #2278 from dcooper16/fix_extract_calist
Fix extract_calist()
2022-11-24 11:15:10 +01:00
David Cooper
907126a285 Fix extract_calist()
When a server supports client authentication, extract_calist() extracts the list of supported certification authorities sent by the server. extract_calist() uses different code to extract the list from a TLS 1.3 response than from a TLS 1.2 or earlier response, since the CertificateRequest message was changed for TLS 1.3.

For TLS 1.2 and earlier, extract_calist() assumes that the CertificateRequest message is a sequence of certificate types, signature algorithms, and certification authorities. However, the signature algorithms field was added in TLS 1.2 and does not appear in TLS 1.1 and earlier. So, the current code does not work unless the server supports TLS 1.2 or TLS 1.3.

This commit fixes the problem by checking whether the response is a TLS 1.2 response, and skipping over the extraction of the signature algorithms field if the response is neither TLS 1.2 nor TLS 1.3.
2022-11-23 08:35:45 -08:00
Dirk Wetter
a4666087e8
Merge pull request #2265 from dcooper16/server_sig_algs
Show server supported signature algorithms
2022-11-23 11:11:02 +01:00
David Cooper
c7644ad58e Limit size of signature_algorithms extension
Some servers get confused if the signature_algorithms extension is too large. This commit addresses the problem by:

* For TLS 1.2, generally limiting the signature algoritms to those consistent with the key type being tested.

* For TLS 1.3, breaking the list of signature schemes in two, and testing each half of the list separately.
2022-11-18 06:23:24 -08:00
David Cooper
6088eddab6 Show server supported signature algorithms
This commit modifies run_fs() to show the signature algorithms the server supports in the ServerKeyExchange message for TLS 1.2 and in the CertificateVerify message for TLS 1.3.

Signature algorithms are not shown for TLS 1.1 and earlier, since for those protocol versions the signature algorithm to use is specified by the protocol. While the signature algorithm used in TLS 1.1 and earlier is weak, testssl.sh already warns if these protocol versions are supported.
2022-11-18 06:23:24 -08:00
Dirk Wetter
462a602625
Merge pull request #2276 from dcooper16/pem_fileout
Fix #1747
2022-11-18 11:06:26 +01:00
David Cooper
3eb8cf6754 Fix #1747
This commit fixes #1747 by converting PEM encoded certificates that are sent to fileout() to a single line. As suggested in #1747, '\n' is added after the '----- BEGIN ... -----' line and before the '------ END ... ------' line.

In order to ensure that '\n' appears in the string in the JSON and CSV files, '\\n' is sent to fileout() so that 'printf -- "%b"' converts '\\n' to '\n' rather than converting '\n' to a newline character.

In order to prevent fileout() from converting '\\n' to '\ ', this commit move the fix for #2049 (see PR #2050) from fileout() to fatal().
2022-11-17 06:31:52 -08:00
Dirk Wetter
827782cd58
Merge pull request #2275 from drwetter/remove_negotiated
Remove Negotiated cipher / protocol in server preferences
2022-11-15 09:28:38 +01:00
Dirk Wetter
e918a2c31f remove negotiated cipher / protocol also in baseline file 2022-11-14 20:25:56 +01:00
Dirk Wetter
1842b9eefb Remove Negotiated cipher / protocol in server preferences
As a first cleanup action I removed in run_server_preference()
the line with Negotiated Protocol and Negotiated Cipher as
the don't have any real information, see #2235 , comment below:
https://github.com/drwetter/testssl.sh/pull/2235
2022-11-14 17:23:13 +01:00
Dirk Wetter
0dac50c830
Merge pull request #2272 from dcooper16/fix2271
Fix #2271
2022-11-11 16:27:18 +01:00
David Cooper
43fade414c Fix #2271
This commit fixes #2271 by adding the `-no_ssl2` option to the call to get_host_cert() in run_drown(). There is at least one server that causes OpenSSL to hang if this call to get_host_cert() results in an SSLv2 ClientHello being sent. Since this call to get_host_cert() only needs to find the server's certificate in cases in which the server does not support SSLv2, there is no need to send an SSLv2 ClientHello.
2022-11-10 11:24:56 -08:00
Dirk Wetter
92a80f7f86
Merge pull request #2268 from drwetter/mastodon
Hint for mastodon
2022-11-10 15:11:41 +01:00
Dirk Wetter
c403249678
Hint for mastodon
... and to a separate account
2022-11-10 15:09:03 +01:00
Dirk Wetter
6716dc7465
Merge pull request #2261 from osown/3.1dev
if PROXY variable is set there is no need to do a direct connection attempt
2022-11-10 10:52:14 +01:00
Dirk Wetter
2b0fdfdf64
Merge pull request #2262 from dcooper16/run_fs_infnite_loop
Fix infinite loop in run_fs()
2022-11-10 09:43:29 +01:00
Dirk Wetter
a4419fa9c9
Merge pull request #2264 from dcooper16/padding
Clean up adding padding
2022-11-10 09:37:42 +01:00
Dirk Wetter
dda579cdf2
Merge pull request #2266 from dcooper16/fix2249
Fix #2249
2022-11-10 09:22:35 +01:00